Backup, Recovery & Datamigration

Overview how backup, recovery and datamigration work in within kubriX.

High-Level Tooling Overview

Velero provides Kubernetes-native backup, restore, and data migration.

Velero UI provides simplified Velero backup and restore workflows through a more intuitive, visual interface. It provides a central place for managing backups, restores, scheduling, alerts, and multi-cluster visibility.

Velero

This document describes how Velero works with kubriX, how to configure it via Helm values (Example: values-k3d.yaml), and the difference between backups with and without the CSI Data Mover.

Overview

Velero supports multiple data protection strategies:

• Filesystem Backup (FSB):
  Pod volumes are backed up file-by-file using Kopia.
• CSI Snapshot without Data Mover:
  A storage snapshot reference is created, no data copied.
• CSI Snapshot with Data Mover:
  Snapshot is created and data is uploaded to object storage (via Kopia).
  • Velero creates DataUpload CRs.
  • Node-agent pods copy data to BackupStorageLocation (BSL).
  • Restores generate DataDownload CRs to fetch data back.

Kopia is now Velero’s default data mover for file system backups.

Key Custom Resources

• BackupRepository – manages Velero repositories per namespace, backed by Kopia.
• PodVolumeBackup – represents a filesystem backup operation for pod volumes.
• DataUpload / DataDownload – represent data movement to and from object storage when using CSI snapshots with Data Mover.

Default Values: values-k3d.yaml

Below are the default values for Velero on k3d as used in platform-apps/charts/velero/values-k3d.yaml.

velero:
  nameOverride: velero
  fullnameOverride: velero

  initContainers:
    - name: velero-plugin-for-aws
      image: velero/velero-plugin-for-aws:v1.12.2
      imagePullPolicy: IfNotPresent
      volumeMounts:
        - mountPath: /target
          name: plugins

  metrics:
    serviceMonitor:
      enabled: true
    nodeAgentPodMonitor:
      enabled: true
    prometheusRule:
      enabled: true

  crdjob:
    resources:
      requests:
        cpu: 128m
        memory: 128Mi
      limits:
        cpu: 128m
        memory: 128Mi

  configuration:
    backupStorageLocation:
      - name:
        provider: aws
        bucket: velero
        default: true
        credential:
          name: velero-cloud-credential
          key: cloud
        config:
          region: minio
          s3ForcePathStyle: true
          s3Url: https://sx-minio.minio.svc.cluster.local:9000
          publicUrl: https://minio.127-0-0-1.nip.io
          insecureSkipTLSVerify: true # temp for minio/local deployment
    volumeSnapshotLocation:
      - name:
        provider: aws
        config:
          region: minio
    uploaderType: kopia
    features: EnableCSI
    defaultVolumesToFsBackup: true

  serviceAccount:
    server:
      create: true
      name: velero

  snapshotsEnabled: false
  deployNodeAgent: true

Key Settings Explained

• Plugins
  • AWS and Azure plugins are preloaded as init containers.
• Metrics
  • Prometheus monitoring enabled for service, node agent, and rules.
• Backup Storage Location
  • Uses MinIO (S3-compatible) at sx-minio.minio.svc.cluster.local:9000.
  • Public access via https://minio.127-0-0-1.nip.io.
  • TLS verification disabled for local deployment.
• Volume Snapshot Location
  • Defined with AWS provider, pointing to region: minio.
• Uploader Type
  • Set to kopia, enabling file system backups.
• Features
  • EnableCSI feature gate active.
  • defaultVolumesToFsBackup: true ensures all volumes default to FS backup for local development, false(default) when using datamover
• Snapshots
  • snapshotsEnabled: false → CSI snapshots themselves are disabled for local development
  • Backups rely on filesystem backup via Kopia instead.
• Node Agent
  • deployNodeAgent: true ensures node-agent pods run on each node for Kopia backups.

Backup: With vs. Without Data Mover

Strategy	Description	Data Handling
Filesystem Backup (FSB)	Pod volumes backed up using Kopia.	Kopia uploader copies files.
CSI Snapshot (no Data Mover)	Creates a CSI snapshot reference only.	No data copied; restore depends on snapshot.
CSI Snapshot + Data Mover	Creates CSI snapshot and copies data to object storage.	DataUpload/DataDownload with Kopia.

Key Differences

• With Data Mover

  • Data durability: stored in object storage.
  • Portable: restores work even if snapshot infra is lost.
  • Requires node-agent pods and CR management.

• Without Data Mover

  • Faster, snapshot-only.
  • Restore requires CSI snapshot infrastructure to exist.

Example Commands:

# Demo Application
kubectl apply -f https://raw.githubusercontent.com/vmware-tanzu/velero/refs/heads/main/examples/nginx-app/with-pv.yaml

❯ kubectl get all,pvc -n nginx-example
Warning: kubevirt.io/v1 VirtualMachineInstancePresets is now deprecated and will be removed in v2.
NAME                                    READY   STATUS    RESTARTS   AGE
pod/nginx-deployment-5fdd5585fd-8fzd4   2/2     Running   0          44s

NAME               TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)        AGE
service/my-nginx   LoadBalancer   10.248.3.50   154.41.192.85   80:31570/TCP   44s

NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nginx-deployment   1/1     1            1           44s

NAME                                          DESIRED   CURRENT   READY   AGE
replicaset.apps/nginx-deployment-5fdd5585fd   1         1         1       45s

NAME                               STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
persistentvolumeclaim/nginx-logs   Bound    pvc-3adb798c-afe0-4df7-9375-e99ff45e6d6f   1Gi        RWO            premium        <unset>                 47s


# Normal Backup
❯ velero backup create nginx-backup --include-namespaces nginx-example
Backup request "nginx-backup" submitted successfully.
Run `velero backup describe nginx-backup` or `velero backup logs nginx-backup` for more details.

# example with Data Mover
❯ velero backup create nginx-backup-dm --include-namespaces nginx-example --snapshot-move-data

Velero UI (VUI)

This document describes how Velero UI works with kubriX, how to configure it via Helm values (Example: values-k3d.yaml).

Overview

VUI supports different Operation models, kubriX currently uses Single Cluster Mode for simplicity.

Features

• Intuitive dashboard with multi-cluster management
• Real-time notifications and cron heatmaps
• Storage insights and Kopia operations

Architecture

Component	Description
vui-ui	Front-end web interface
vui-api	Backend API integration with Velero/K8s
vui-watchdog	Monitoring & alert service
vui-core	Optional core for multi-cluster orchestration

Default Values: values-k3d.yaml

Below are the default values for Velero UI for k3d as used in platform-apps/charts/velero-ui/values-k3d.yaml.

vui:
  global:
    veleroNamespace: velero
    clusterName: "kubrix"

  apiService:
    config:
      apiEnableDocumentation: true
    secret:
      existingSecret: velero-ui-credential

  exposure:
    mode: ingress
    ingress:
      ingressClassName: nginx
      metadata:
        annotations:
          cert-manager.io/cluster-issuer: mkcert-issuer
      spec:
        tls:
          - secretName: velero-ui-tls
            hosts:
              - velero-ui.demo.kubrix.cloud

Key Settings Explained

• Global
  • veleroNamespace as reference
• Secrets
  • get Secrets from SecretStores.

Which Resources should get backuped for kubriX platform

Opt-In Resources

Other resources (also applications) can opt-in by defining a label backup.kubrix.io/tier and a value from critical, standard or archive.

tier	ttl	Description
standard	14 days	daily
weekly	12 weeks	every sunday 3 AM
critical	7 days	every 6h (0,6,12,18)

💡 Extra tip: If you can’t label every resource directly, you could label the namespace with backup.kubrix.io/tier=critical → Velero selectors will match all objects in that namespace.

Kargo

Kargo creates freights and promotions. If they are lost you loose your freight line and your promotion state of the pipeline, see https://github.com/akuity/kargo/discussions/3126 .

• Freight.kargo.akuity.io
• Promotion.kargo.akuity.io

Activate KargoBackup

By default this function is disabled, to enable adapt kyverno helm values file:

kyvernoPolicies:
  createKargoBackup:
    enabled: true

Each change per Namespace triggers Velero Backup platform-apps/charts/kyverno/templates/policy-add-kargo-backup.yaml Default TTL for kargo backups is 7 days, if you want to reduce the amount of backups in lower stages please add label to kargo-project namespace:

  labels:
    backup.kubrix.io/kargo-ttl: 10h0m0s

Additional Informations

Limitations

Kopia may not fully preserve:

• setuid/setgid bits
• Hard links
• ACLs and extended attributes
• Sockets, mount points, etc.

Velero build-in data mover has some limitations

Important Note

do NOT CHANGE repository password after you create velero backup with datamover option!

References

• Volume Snapshot Datamovement
• Unified Repository & Kopia Integration Designed
• Plugin Progress Monitoring
• VUI Official Documentation
• SerioHub VUI GitHub Repos